We strongly recommend using ITS-Managed services to implement IT controls specific to your sensitive data requirements. The guidelines outlined in this webpage are for researchers who have elected to use ITS-Managed services to safeguard export-controlled data. If you choose not to use ITS-Managed services, you will be responsible for ensuring that the requirements listed in the Safeguarding Export-Controlled Technical Data for System Administrators article are met, as well as the requirements listed on this webpage should your contract require this level of security.

Access Controls

Do not access export-controlled information from shared, public computers such as kiosk-type computers in libraries, hotels, and business centers, or from computers that have no local access control.

Do not post export-controlled information on public websites or websites that rely solely on IP addresses for access control. Instead, secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods.

Protect export-controlled information with at least one physical barrier and one logical barrier (e.g., a locked container or room, plus a login and password) whenever it is not under direct individual control.

Only persons listed in the TCP (Technology Control Plan) may have access to the export-controlled data.

System Management

User-managed devices (as specified in the IT Security Plan) must also adhere to these guidelines and must be made available to OneIT staff, as needed or on a schedule, for log analysis and offload, patch assurance, and system vetting.

Transmission of ITAR-Covered Data

Do not transmit or email controlled information unencrypted. An alternative to email is to place the files in a secure location (e.g., an SFTP site) and send an authenticated link in a message to whoever needs access to the file (as specified in the TCP).

Transfer controlled information only to subcontractors and collaborators listed in the TCP.

*Note: before sharing export-controlled data, contact the Export Control staff. Export Control will review the contractual language to confirm that sharing is permitted.

Laptops

The data must be stored on a University-owned and managed single-user laptop device using whole disk encryption (e.g. FileVault2 for Mac, BitLocker for Windows, LUKS for Linux) with a unique decryption passphrase known only to the device's authorized primary user.
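As an added verification check (not part of this guidance page or of any University tooling), the following POSIX shell script confirms on Linux that the directory holding the data is backed by a LUKS (dm-crypt) volume and counts the passphrase keyslots on that volume, since the requirement above is a single passphrase known only to the device's primary user. It assumes util-linux (findmnt, lsblk) and cryptsetup are installed and that it is run as root; the macOS and Windows equivalents (`fdesetup status`, `manage-bde -status`) are mentioned only in a comment. The function names are this example's own, and the sample header dumps used for testing are constructed.

```shell
#!/bin/sh
# Added example, not the University's own script: check that a data
# directory sits on a LUKS volume and report how many keyslots (passphrases)
# can unlock it. Assumes Linux with util-linux and cryptsetup, run as root.
# macOS: `fdesetup status`; Windows: `manage-bde -status` (not scripted here).

# is_on_crypt CHAIN
# CHAIN is the TYPE column from `lsblk -s -n -o TYPE DEV`: the device and
# every layer beneath it, one per line. Succeeds if any layer is dm-crypt.
is_on_crypt() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*crypt[[:space:]]*$'
}

# count_luks_keyslots DUMP
# DUMP is the text of `cryptsetup luksDump DEV`. Prints the number of
# populated keyslots for LUKS2 ("  N: luks2" under "Keyslots:") or
# enabled keyslots for LUKS1 ("Key Slot N: ENABLED"). Each slot is a
# separate passphrase that unlocks the disk, so more than one warrants review.
count_luks_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Keyslots:/            { in_slots = 1; next }
        /^(Tokens|Digests):/    { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2/        { n++ }
        /^Key Slot [0-7]: ENABLED/            { n++ }
        END { print n + 0 }'
}

# check_path PATH
# Exit 0: PATH is on a LUKS volume; 1: no crypt layer; 2: could not determine.
check_path() {
    dev=$(findmnt -n -o SOURCE --target "$1") || return 2
    chain=$(lsblk -s -n -o TYPE "$dev") || return 2
    if ! is_on_crypt "$chain"; then
        echo "FAIL: $1 ($dev) has no dm-crypt layer in its device chain"
        return 1
    fi
    # The device listed directly after the crypt mapping (in inverse tree
    # order) is the partition or disk that carries the LUKS header.
    backing=$(lsblk -s -n -l -p -o NAME,TYPE "$dev" \
        | awk 'found { print $1; exit } $2 == "crypt" { found = 1 }')
    dump=$(cryptsetup luksDump "$backing" 2>/dev/null) || return 2
    slots=$(count_luks_keyslots "$dump")
    echo "OK: $1 ($dev) is backed by LUKS on $backing with $slots keyslot(s)"
    if [ "$slots" -gt 1 ]; then
        echo "NOTE: more than one keyslot; confirm each passphrase holder is the authorized primary user"
    fi
    return 0
}

# Usage (as root): check_path /home
```

Run `check_path` against the directory where the export-controlled data lives; a `FAIL` means the volume is not encrypted at the block layer and the laptop does not meet the requirement, while a `NOTE` about extra keyslots is the cue to confirm that no passphrase other than the primary user's can unlock the disk.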